Firmware flaw affects numerous generations of Intel CPUs — UEFI code execution vulnerability found for Intel CPUs from 14th Gen Raptor Lake to 6th Gen Skylake CPUs, and TPM will not save you

News
By
published

Eclypsium Automata uncovers Phoenix as the latest to fall to a significant Arbitrary Code Execution exploit impacting Lenovo, AMI, Insyde, and Intel motherboard firmware.

Eclypsium graphic short-handing how the buffer overflow UEFI exploit jeopardizes nearly any system.
Eclypsium graphic short-handing how the buffer overflow UEFI exploit jeopardizes nearly any system. (Image credit: Eclypsium)

Using its automated binary analysis system Eclypsium Automata, Eclypsium has uncovered the existence of high-impact security vulnerabilities in Phoenix SecureCore UEFI firmware used by a wide variety of motherboard providers and Intel CPUs spanning from 14th Gen to 6th Gen—all the "Lakes" in other words. This vulnerability also extends to several other UEFI BIOS vendors, including Lenovo, Intel, Insyde, and AMI. Phoenix is the latest to join the list.

The specific Phoenix SecureCore UEFI firmware vulnerability that prompted this posting is referred to as "UEFIcanhazbufferoverflow" by Eclypsium, which is just a funny way of pointing out that this is a buffer overflow exploit. The specific method in which the "UEFIcanhazbufferoverflow" exploit works is by using an unsafe call to the "GetVariable" UEFI service.

By making unsafe calls, a stack buffer overflow can be created, allowing for arbitrary code to be executed. In the BIOS or its modern counterpart, the UEFI, even a buffer overflow allows for full-system access and control to be gained very quickly, and the consequences of that happening can be challenging to remove from a PC permanently. Sometimes, it may even be impossible without replacing the machine entirely— and that's not counting passwords and such that may become compromised and still need changing between machines.

Any potentially impacted Intel user should update their BIOS to protect from this issue as soon as possible, though not before creating backups of important files and the original BIOS just in case something goes wrong. Since exploits impacting UEFI are as close to Layer 0 as they get with PC hardware, it's essential for all parties involved to act as quickly and safely as possible.

As noted by Eclypsium, this Phoenix vulnerability was discovered in a hands-off manner by its Automata security system, which is an automated binary analysis system using the research data of Eclypsium's own researchers. While there are certainly issues with things like AI-written code and AI "generated" art, it's always nice to see cutting-edge AI and machine learning tech put toward something useful for humanity.

Christopher Harper
Christopher Harper
Contributing Writer

Christopher Harper has been a successful freelance tech writer specializing in PC hardware and gaming since 2015, and ghostwrote for various B2B clients in High School before that. Outside of work, Christopher is best known to friends and rivals as an active competitive player in various eSports (particularly fighting games and arena shooters) and a purveyor of music ranging from Jimi Hendrix to Killer Mike to the Sonic Adventure 2 soundtrack.

See more CPUs News
28 Comments Comment from the forums
  • Pierce2623
    So is this any different from all these other modern “vulnerabilities” that require physical access to the PC to make it vulnerable?
    Reply
  • -Fran-
    Pierce2623 said:
    So is this any different from all these other modern “vulnerabilities” that require physical access to the PC to make it vulnerable?
    While I get why you may be dismissive, you have to consider most big Corpos are now fully using notebooks and people carry them everywhere, so chances of stealing one and tampering with it are just growing year over year.

    Server and, to a degree, desktop PC is low-ish risk. Laptop, this (like any other with physical access) matters quite a bit.

    Regards.
    Reply
  • rluker5
    -Fran- said:
    While I get why you may be dismissive, you have to consider most big Corpos are now fully using notebooks and people carry them everywhere, so chances of stealing one and tampering with it are just growing year over year.

    Server and, to a degree, desktop PC is low-ish risk. Laptop, this (like any other with physical access) matters quite a bit.

    Regards.
    But if you have your drive bitlocked with an fTPM, isn't that secure to UEFI tampering with the worst possible outcome of the drive becoming unreadable, which is a moot point if someone already stole your work laptop and has it in pieces in a lab somewhere? I don't think companies care that much about the laptop hardware if it is stolen, just the information on it.
    Reply
  • -Fran-
    rluker5 said:
    But if you have your drive bitlocked with an fTPM, isn't that secure to UEFI tampering with the worst possible outcome of the drive becoming unreadable, which is a moot point if someone already stole your work laptop and has it in pieces in a lab somewhere? I don't think companies care that much about the laptop hardware if it is stolen, just the information on it.
    You're not necessarily wrong, but the mere fact you can't physically destroy it is still a risk in and off itself. Remember it's not about it being impossible to decrypt, but a matter of time.

    Depending on the Industry you are, it may be more or less important and, on average, I do believe you're correct. Still, there's plenty Industries nowadays where they're implementing remote-destruction for such cases.

    Regards.
    Reply
  • mac_angel
    -Fran- said:
    You're not necessarily wrong, but the mere fact you can't physically destroy it is still a risk in and off itself. Remember it's not about it being impossible to decrypt, but a matter of time.

    Depending on the Industry you are, it may be more or less important and, on average, I do believe you're correct. Still, there's plenty Industries nowadays where they're implementing remote-destruction for such cases.

    Regards.
    these are very rare cases when compared to the masses; and I'd hazard a guess that it's probably less than 0.001% of all the computers out there. And they should all have a lot of various security options on these laptops.
    So, how does this affect everyone else? Is this another "exploit" that needs physical access to the hardware to do anything? If so, then pretty much every single home PC is not at risk. Every kid in high school, and probably college would be at very low risk, too.
    Reply
  • bit_user
    rluker5 said:
    But if you have your drive bitlocked with an fTPM, isn't that secure to UEFI tampering with the worst possible outcome of the drive becoming unreadable,
    Not sure about that. Whenever I upgrade the BIOS of my Alder Lake corporate Dell PCs, it disables bitlocker and reboots, to do the install, then re-enables bitlocker. Seems like an exploit could take advantage of that.

    Also, does any part of UEFI firmware stay resident, while the OS is running? Or is UEFI exclusively just a pre-boot environment?
    Reply
  • bit_user
    The article said:
    The specific Phoenix SecureCore UEFI firmware vulnerability that prompted this posting is referred to as "UEFIcanhazbufferoverflow" by Eclypsium, which is just a funny way of pointing out that this is a buffer overflow exploit.
    I approve of this reference.
    Reply
  • But cannot be exploited.

    Exploitation is less likely because this is something an attacker would use after gaining access to the system to maintain persistence. That's why Eclypsium is not releasing a proof-of-concept exploit.

    This one also seems less ‘developed’ vulnerability than LogoFail. Because it does not have stages of payload deployment after being executed, and is specific to the Phoenix BIOS.
    Reply
  • -Fran-
    mac_angel said:
    these are very rare cases when compared to the masses; and I'd hazard a guess that it's probably less than 0.001% of all the computers out there. And they should all have a lot of various security options on these laptops.
    So, how does this affect everyone else? Is this another "exploit" that needs physical access to the hardware to do anything? If so, then pretty much every single home PC is not at risk. Every kid in high school, and probably college would be at very low risk, too.
    What are you refering to with "these very rare cases"?

    And as I said, the number is growing anyway. Why would a business, any business, would risk losing information if they could easily avoid it?

    I don't diagree with the rest of what you said, as I said so myself in the original reply. If this would be important, it would be for corporate users with confidential/restricted/critical information in their laptops.

    As for the likelihood of exploitation... I'm not clear TBH, so I can't comment in that particular, but very relevant, tidbit.

    Regards.
    Reply
  • Alvar "Miles" Udell
    While there are certainly issues with things like AI-written code and AI "generated" art, it's always nice to see cutting-edge AI and machine learning tech put toward something useful for humanity.

    Just wait until the bug bounty hunters complain about losing tens of thousands of dollars per year because AI took their jobs...
    Reply